The Hacker News — Cyber Security, Hacking, Technology News

Last month, the Federal Bureau of Investigation (FBI) was ordered to reveal the complete source code for the TOR exploit it used to hack visitors of the world’s largest dark web child pornography site, PlayPen.

Robert J. Bryan, the federal judge, ordered the FBI to hand over the Tor browser exploit code so that the defence could better understand how the agency hacked over 1,000 computers and whether the evidence gathered fell within the scope of the warrant.

Now, the FBI is pushing back against the federal judge’s order.

On Monday, the Department of Justice (DOJ) and the FBI filed a sealed motion asking the judge to reconsider his ruling, saying that revealing the exploit used to bypass the Tor Browser's protections is not necessary for the defense in this or other cases.

In previous filings, the defence has argued that the offensive operation used in the case was "gross misconduct by government and law enforcement agencies," and that the Network Investigative Technique (NIT) conducted additional functions beyond the scope of the warrant.

The Network Investigative Technique, or NIT, is the FBI's term for a custom hacking tool designed to compromise the computers of Tor users.

This particular case concerns Jay Michaud, one of the accused, from Vancouver, Washington, who was arrested last year after the FBI seized a dark web child sex abuse site and ran it from the agency's own servers for 13 days.

During this period, the FBI deployed an NIT against users who visited particular child pornography threads, grabbing their real IP addresses among other details. This led to the arrest of Michaud, among others.

Vlad Tsyrklevich, the malware expert retained by the defense to analyse the NIT, said that he received only parts of the NIT to analyse, not the sections that would show whether the identifier attached to the suspect's NIT infection was unique.

"He is wrong," Special Agent Daniel Alfin writes. "Discovery of the 'exploit' would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud's computer, not what it did once deployed."

In a separate case, the Tor Project has accused the FBI of paying Carnegie Mellon University (CMU) at least $1 Million to disclose a technique it had discovered that could help unmask Tor users and reveal their IP addresses. The FBI, though, denies the claims.

Security researchers from Carnegie Mellon University (CMU) were hired by federal officials to discover a technique that could help the FBI unmask Tor users and reveal their IP addresses as part of a criminal investigation.

Yes, a federal judge in Washington has recently confirmed that computer scientists at CMU's Software Engineering Institute (SEI) were indeed behind a hack of the Tor project in 2014, according to court documents [PDF] filed Tuesday.

In November 2015, The Hacker News reported that Tor Project Director Roger Dingledine accused the Federal Bureau of Investigation (FBI) of paying CMU at least $1 Million for information that led to the identification of criminal suspects on the Dark Web.

After this news had broken, the FBI denied the claims, saying "The allegation that we paid [CMU] $1 Million to hack into TOR is inaccurate."

Meanwhile, the CMU also published a press release, saying the university had been subpoenaed for the IP addresses it obtained during its research.

The revelation came out as part of the ongoing case against Brian Richard Farrell, an alleged Silk Road 2 lieutenant who was arrested in January 2014. It has emerged that the federal officials recruited a "university-based research institute" that was running systems on the Tor network to help authorities uncover the identity of Farrell.

University Researchers Helped FBI Hack TOR

Now, a recent filing in one of the affected criminal cases has confirmed both the name of the "university-based research institute" and the existence of a subpoena.

Some earlier allegations by the TOR project seem to be wrong. The research was funded by the Department of Defense, which was later subpoenaed by the FBI.

Here's what the Tuesday court order by US District Judge Richard Jones, filed in Farrell's case, says:

"The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU) when SEI was conducting research on the Tor network which was funded by the Department of Defense (DOD)."
"Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU."

Farrell is charged with conspiracy to distribute drugs like cocaine, heroin, and methamphetamine through the Silk Road 2.0 dark web marketplace.

$1.73 Billion to Unmask Tor Users?

Last summer, the DoD renewed a contract worth over $1.73 Billion with the SEI, which, according to CMU, is the only federally funded research center that focuses on "software-related security and engineering issues."

Carnegie Mellon University's SEI came under suspicion for the Tor hack after the sudden cancellation of a talk by SEI researchers Michael McCord and Alexander Volynkin on de-anonymizing Tor users at the Black Hat 2014 conference.

More details on the matter are still unclear, but the judge confirmed a few facts about Tor and stated that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."

Yes, the Tor browser is in danger of being caught once again by the people commonly known as "spies," whose sole intention is to intrude into others' networks and gather information.

A team of security researchers from the Massachusetts Institute of Technology (MIT) has developed digital attacks that can be used to unmask Tor hidden services in the Deep Web with a high degree of accuracy.

The Tor network is used by journalists, hackers and citizens living under repressive regimes, as well as by criminals, to surf the Internet anonymously. A large number of nodes and relays in the Tor network are used to mask its users and make tracking very difficult.

When a user connects to Tor, the connection is encrypted and routed through a path called a "circuit." The request first reaches an entry node, also known as a 'Guard', which knows the actual IP address of the user, then passes through every hop in the route and finally leaves the circuit via an "exit node."

However, in some cases, an attacker could passively monitor Tor traffic to figure out the hidden service accessed by a user and even reveal the servers hosting sites on the Tor network.

Revealing identities without decrypting the TOR Traffic

Recently, the Net Security team from MIT and the Qatar Computing Research Institute claimed to have found a new vulnerability in Tor's Guard gateway that can be exploited to detect whether a user is accessing one of Tor's hidden services.

They explained that Tor's Guard gateways could be impersonated, so that packets coming from the user travel through the attacker's malicious 'setup' node acting as an entry node.

In a proof-of-concept attack published this week, the researchers described this technique as "Circuit Fingerprinting," a kind of behavioural biometric consisting of a series of passive attacks that allows spies to unmask Tor users with 88 percent accuracy, even without decrypting the Tor traffic.

This new approach not only tracks the digital footprints of Tor users but also reveals exactly which hidden service the user was accessing, just by analyzing the traffic data and the pattern of the data packets.

"Tor exhibits fingerprintable traffic patterns that allow an [enemy] to efficiently and accurately identify and correlate circuits involved in the communication with hidden services," says the team.

"Therefore, instead of monitoring every circuit, which may be costly, the first step in the attacker's strategy is to identify suspicious circuits with high confidence to reduce the problem space to just hidden services."

The technique never breaks Tor's layered encrypted route, which shows that encryption alone does not keep your identity anonymous from others.

Does the Vulnerability Really Hold Up?

Tor project leader Roger Dingledine has questioned the researchers about the genuineness of the accuracy that the traffic fingerprinting technique delivers, leaving the researchers and the users confused.

Tor is considered a popular browser that protects your anonymity while accessing the Internet. However, with time and successive successful breaches, it seems that this reputation of the Tor network could erode.

According to the MIT News article, the fix was suggested to Tor project representatives, who may add it to a future version of Tor.

The huge cache of internal files recently leaked from the controversial Italian surveillance software company Hacking Team has now revealed that the Federal Bureau of Investigation (FBI) purchased surveillance software from the company.

The leaked documents contain more than 1 Million internal emails, including emails from an FBI agent who wanted to unmask the identity of a user of Tor, the encrypted anonymizing network widely used by activists to keep their identities safe, but also used to host criminal activities.

Unmasking Tor User

In September last year, an FBI agent asked Hacking Team if the latest version of its Remote Control System (RCS), also known as Galileo, for which the company is famous, would be capable of revealing the true IP address of a Tor user.

The FBI agent only had the proxy IP address of the target, as, according to the FBI, the target may have been using the Tor Browser Bundle (TBB) or some other variant. So, the agent wanted to infect the target's computer by making him download a malicious file.

"We'll need to send him an email with a document or PDF [attachment] to hopefully install the scout [Hacking Team's software]," the FBI agent wrote in the email.

In response to the FBI agent's query, a Hacking Team staff member said that once the target's computer is infected, "if he is using TBB you will get the real IP address of the target. Otherwise, once the scout is installed…you can inspect from the device evidence the list of installed programs."

FBI Spent $775,000 on Hacking Team's Spying Tools

So far, it isn't known whether the agents succeeded in revealing the IP address of the target Tor user, or who the target was, but the internal emails clearly indicate that this FBI agent took full advantage of Hacking Team's service to unmask Tor users.

"[The FBI] continue to be interested in new features all the more related to TOR, [virtual private networks] VPN and less click infections," the same FBI agent said in other emails. "In the past their targets were 20 per cent on TOR, now they are 60 per cent on TOR."

Overall, the FBI has spent nearly $775,000 on Hacking Team's spy tools since 2011, Wired reports, although the internal emails indicate that the Remote Control System (RCS) tools were used as a "back up" for some other system the agency is already using.

Remote Control System (RCS), or Galileo, is the advanced and sophisticated spyware tool for which Hacking Team is famous. It comes loaded with many zero-day exploits and has the ability to monitor the computers of its targets remotely.


A critical vulnerability in Tor — an encrypted anonymizing network considered one of the most privacy-oriented services, used by online users to hide their activities from law enforcement, government censors and others — was probably being used to de-anonymize Tor users, the Tor Project warned on Wednesday.

115 MALICIOUS ToR RELAYS WERE DE-ANONYMIZING USERS

According to a security advisory, the Tor team found a group of 115 malicious fast non-exit relays (6.4% of the whole Tor network) that were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymize users.

"While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected," Tor said.

When you use the Tor anonymizing network, your IP address remains hidden and your connection appears to come from the IP address of a Tor exit relay, making it very difficult for anyone — a malicious actor or a government spy agency — to tell where traffic is coming from and going to.

All the identified malicious relays were in the 50.7.0.0/16 and 204.45.0.0/16 address ranges and had been running for over 5 months this year. According to the team, these evil relays were trying to de-anonymize Tor users who visit and run so-called hidden services on the Deep Web, i.e. ".onion" sites.

UPGRADE TO LATEST TOR RELEASE

Tor Project leaders urged Tor relay operators to upgrade Tor software to a recent release, either 0.2.4.23 or 0.2.5.6-alpha, in order to close the critical vulnerability that was actively being exploited in the wild.

Tor team has now successfully removed all identified malicious relays from its Network and advised hidden service operators to change the location of their hidden service.
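As an added example (not code from the Tor Project or from the article), here is a small relay audit in the spirit of the advice above: it reads consensus-style router entries, flags relays whose address falls inside the two /16 ranges named above, and flags relays advertising a release older than 0.2.4.23 or 0.2.5.6-alpha. The "r"/"v" line layout follows the Tor directory consensus format; the sample entries are constructed.

```python
import ipaddress
import re

# Flagged /16 ranges and minimum releases, both taken from the advisory text above.
SUSPECT_RANGES = [ipaddress.ip_network("50.7.0.0/16"),
                  ipaddress.ip_network("204.45.0.0/16")]
MIN_STABLE, MIN_ALPHA = "0.2.4.23", "0.2.5.6-alpha"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-\w+)?")

def parse_version(ver):
    """'0.2.4.23' -> (0, 2, 4, 23); '0.2.5.6-alpha' -> (0, 2, 5, 6)."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unparseable Tor version: {ver!r}")
    return tuple(int(x) for x in m.groups())

def version_is_current(ver):
    """True at or above 0.2.4.23 on 0.2.4, or 0.2.5.6-alpha on 0.2.5 and later."""
    nums = parse_version(ver)
    floor = MIN_ALPHA if nums[:3] >= (0, 2, 5) else MIN_STABLE
    return nums >= parse_version(floor)

def assess_relay(relay):
    """Reasons a single relay entry deserves an operator's attention."""
    reasons = []
    if any(ipaddress.ip_address(relay["ip"]) in n for n in SUSPECT_RANGES):
        reasons.append("address in flagged range")
    ver = relay["version"]
    if ver is None or not version_is_current(ver):
        reasons.append(f"version {ver} not at a recommended release")
    return reasons

def audit_consensus(text):
    """Parse consensus-style 'r'/'v' lines; return (nick, ip, version, reasons) for flagged relays."""
    relays = []
    for line in text.splitlines():
        p = line.split()
        if p and p[0] == "r" and len(p) >= 9:
            # r <nick> <identity> <digest> <date> <time> <ip> <orport> <dirport>
            relays.append({"nick": p[1], "ip": p[6], "version": None})
        elif p and p[0] == "v" and relays and len(p) >= 3:
            relays[-1]["version"] = p[2]
    return [(r["nick"], r["ip"], r["version"], why)
            for r in relays if (why := assess_relay(r))]

# Constructed sample (not a real consensus); 198.51.100.x / 203.0.113.x are
# documentation ranges, 50.7.12.34 sits inside a flagged /16.
SAMPLE = """\
r good1 ID1 DG1 2014-07-30 10:00:00 198.51.100.7 9001 9030
v Tor 0.2.4.23
r flagged1 ID2 DG2 2014-07-30 10:01:00 50.7.12.34 443 80
v Tor 0.2.4.22
r oldalpha ID3 DG3 2014-07-30 10:02:00 203.0.113.9 9001 0
v Tor 0.2.5.5-alpha
"""
```

Running `audit_consensus(SAMPLE)` reports `flagged1` for both its address and its version, and `oldalpha` for its version only.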

TAILS OS FLAW TO DE-ANONYMIZE USERS

Just a few days back, we reported a similar issue in TAILS OS, a privacy- and security-dedicated Linux-based operating system. A critical zero-day vulnerability was discovered by researchers at Exodus Intelligence that could help attackers or law enforcement de-anonymize anyone's identity. The researchers said the flaw actually lies in the I2P software that's bundled with the operating system.

However, Exodus Intelligence is working with the Debian-based Linux distribution Tails and the I2P coders to get a patch out soon.

RUSSIA OFFERS $114,000 FOR CRACKING ToR

Until now, the Tor network was a major target for the U.S. National Security Agency and the FBI, but something quite creepy also came to light just after the zero-day flaws were discovered in the Tails operating system.

The Russian government also wants to crack the Tor anonymizing network, and is offering almost 4 million rubles (approximately $111,000) for a successful exploit.

ToR FLAW RELATED TO CANCELED BLACKHAT TALK?

The vulnerability could be related, though not certainly, to the research done by Alexander Volynkin and Michael McCord from Carnegie Mellon University, i.e. "Attacking Tor and de-anonymizing users", which was originally scheduled to be delivered at the Black Hat USA conference this year. But unfortunately their talk was cancelled two weeks beforehand, because their material had not been approved by the SEI for public release.

The Russian government is offering almost 4 million rubles, approximately $111,000, to anyone who can devise a reliable technology to decrypt data sent over Tor, an encrypted anonymizing network used by online users to hide their activities from law enforcement, government censors, and others.

The Russian Ministry of Internal Affairs (MVD) issued a notice on its official procurement website, originally posted on July 11, under the title "шифр «ТОР (Флот)»", which translates as "cipher 'TOR (Navy)'": an open call for Tor-cracking proposals whose winner will be chosen by August 20.

The MIA specifically wants researchers to “study the possibility of obtaining technical information about users and users' equipment on the Tor anonymous network,” according to a translated version of the Russian government’s proposal.

Only Russian nationals and companies are allowed to take part in the competition "in order to ensure the country's defense and security." Participants are required to pay a 195,000 ruble (about $5,555) application fee in order to enter.

Tor, which was actually invented at the U.S. Navy, anonymizes the identity of an online user by encrypting their data and sending it through a unique configuration of nodes known as an onion routing system – making it difficult to trace.

Now in the hands of a nonprofit group, the project continues to receive millions of dollars in funding from the U.S. government every year, and boasts approximately 4 million users worldwide, among them many tech-savvy digital activists in countries where technical censorship and surveillance are prevalent.

Tor has encountered problems in Russia before: the MVD had previously sought to ban the use of any anonymizing software, though that proposal was dropped last year.

SERIOUS THREAT FOR ACTIVISTS AND WHISTLEBLOWERS

Anonymity, which matters to everybody, especially the activists, journalists, researchers and whistleblowers who use the Tor anonymity service to hide their activities, is now under great threat from both sides.

In my opinion, announcing a million-dollar competition doesn't give any government full authority to hack the widely used anonymity network. Such a move has put both the Russian and U.S. governments in the same category.

Tor has been the constant target of government intelligence agencies and other entities seeking to unveil the identities of anonymous Internet users. Even the U.S. intelligence agency NSA and the U.K. intelligence agency GCHQ made multiple attempts and spent significant resources to target Tor users and break the Tor program's anonymity, as revealed by global surveillance whistleblower Edward Snowden last year.

Last year, it was revealed that a zero-day vulnerability in Firefox was used to unmask users of Tor's privacy-protecting "hidden services", which was believed to be an effort by the FBI to crack down on Freedom Host, a Tor server provider, as part of a child pornography case.

A talk at the upcoming Black Hat security conference in August entitled 'You don't have to be the NSA to Break Tor: De-Anonymizing Users on a Budget,' by researchers from Carnegie Mellon University, was abruptly pulled earlier this week because the materials they would discuss had not been approved for public release by the university or the Software Engineering Institute (SEI).

Just a few days ago, Exodus Intelligence reported that its researchers had found a critical zero-day security vulnerability in the privacy- and security-dedicated Linux-based TAILS, an operating system designed to be booted from a CD or USB stick that uses Tor and other services to hide the identity of its users and leave no trace of their activities on their computers. Meanwhile, the developers with the Tor Project said that they are working on the issue to fix the weakness as soon as possible.